
GAQM CPEH-001 Exam - Topic 2 Question 13 Discussion

Actual exam question for GAQM's CPEH-001 exam
Question #: 13
Topic #: 2

Basically, there are two approaches to network intrusion detection: signature detection and anomaly detection. The signature detection approach uses well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach uses a previous history of network traffic to search for abnormal patterns that would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS?

Suggested Answer: D

ADMmutate uses a polymorphic technique designed to circumvent certain forms of signature-based intrusion detection. All network-based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be used in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content, or 'signature', of the exploit without changing its functionality.
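To make the two detection approaches from the question and the explanation concrete from the defender's side, here is an added example (not from the exam or from ADMmutate) of a miniature IDS: a byte-signature engine beside a payload-length baseline, run over constructed samples. The signature names, the placeholder egg fragment and the baseline lengths are all made up for illustration.

```python
# Added example: signature detection vs anomaly detection on constructed payloads.
import re
import statistics

# Signature approach: fixed byte patterns. The first is the classic x86 NOP
# sled (a long run of 0x90); the second is a constructed placeholder standing
# in for a fixed egg fragment, not a real exploit.
SIGNATURES = {
    "nop_sled": re.compile(rb"\x90{32,}"),
    "known_egg_fragment": re.compile(rb"EGG-FRAGMENT-PLACEHOLDER"),
}

def signature_alerts(payload):
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# Anomaly approach: compare a payload's length with a baseline learned from
# previously observed traffic to the same service (z-score over history).
class LengthBaseline:
    def __init__(self, history, z_threshold=3.0):
        self.mean = statistics.mean(history)
        self.stdev = statistics.pstdev(history) or 1.0  # guard against zero spread
        self.z_threshold = z_threshold

    def is_anomalous(self, payload):
        z = (len(payload) - self.mean) / self.stdev
        return z > self.z_threshold

def classify(payload, baseline):
    """Run both engines and report what each one saw."""
    return {"signature": signature_alerts(payload),
            "anomaly": baseline.is_anomalous(payload)}

# Constructed baseline: normal requests to this service were 40..80 bytes long.
NORMAL_LENGTHS = [40, 48, 52, 60, 64, 70, 75, 80, 55, 66]
BASELINE = LengthBaseline(NORMAL_LENGTHS)

# Constructed samples (not real traffic).
SAMPLE_NORMAL = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
SAMPLE_SLED = b"USER " + b"\x90" * 128 + b"EGG-FRAGMENT-PLACEHOLDER\r\n"
# Same length as SAMPLE_SLED but with the fixed patterns replaced by filler:
# the signature engine sees nothing, the length baseline still flags it.
SAMPLE_MUTATED = b"USER " + b"\x41" * 128 + b"X" * 24 + b"\r\n"

if __name__ == "__main__":
    for label, sample in [("normal", SAMPLE_NORMAL), ("sled", SAMPLE_SLED),
                          ("mutated", SAMPLE_MUTATED)]:
        print(label, classify(sample, BASELINE))
```

The run shows why the question's answer works against a signature-only IDS: once the fixed bytes change, `signature_alerts` returns nothing, while the history-based check still reports the oversized payload.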


Contribute your Thoughts:

Mollie
4 months ago
Signature detection is outdated; anomaly detection is where it's at!
upvoted 0 times
Domitila
4 months ago
Wait, can you really change the signature with tools like ADMmutate? Sounds too good to be true!
upvoted 0 times
Dorethea
4 months ago
NOOP sleds can be effective, but they aren't foolproof.
upvoted 0 times
Veronika
4 months ago
I think using a dynamic return address is pretty risky though.
upvoted 0 times
Miss
5 months ago
Polymorphic shellcode is definitely a game changer for evading detection.
upvoted 0 times
Nu
5 months ago
I have a vague memory of shellcode techniques, but I can't recall if using a reverse telnet would really help with evasion. It seems too obvious.
upvoted 0 times
Eulah
5 months ago
I practiced a question similar to this, and I think chaining NOOP instructions could be effective too. But I'm leaning towards option D for the signature change.
upvoted 0 times
Leatha
5 months ago
I remember studying how polymorphic shellcode can change its appearance to evade detection. I think option D might be the right choice.
upvoted 0 times
Corrie
5 months ago
I'm not entirely sure, but I feel like using a dynamic return address could also help in disguising the attack. It seems like it could confuse the IDS.
upvoted 0 times
Nichelle
5 months ago
This is a tricky one. I'm not super familiar with the details of Facebook ad metrics, so I'm a bit confused about the best way to approach this. I'll try to eliminate the options that don't seem quite right, and then make an educated guess.
upvoted 0 times
Leota
5 months ago
This question is testing my knowledge of Python's object model. I'll need to double-check the syntax and behavior to make sure I get this right.
upvoted 0 times
Lenny
5 months ago
This question seems to be testing our understanding of different decision-making strategies. I think the key is to identify the specific de-biasing strategy used by the threat intelligence manager to resolve the competing hypotheses.
upvoted 0 times